The Apache web server must generate a unique session identifier for each session using a FIPS 140-2 approved random number generator.

From Apache Server 2.4 UNIX Server Security Technical Implementation Guide

Part of SRG-APP-000224-WSR-000135

Associated with: CCI-001188

AS24-U1-000490_rule The Apache web server must generate a unique session identifier for each session using a FIPS 140-2 approved random number generator.

Vulnerability discussion

Communication between a client and the Apache web server is done using the HTTP protocol, but HTTP is a stateless protocol. To maintain a connection or session, a web server will generate a session identifier (ID) for each client session when the session is initiated. The session ID allows the Apache web server to track a user session and, in many cases, the user, if the user previously logged on to a hosted application.When a web server accepts session identifiers that are not generated by the web server, it creates an environment where session hijacking, such as session fixation, could be used to access hosted applications through session IDs that have already been authenticated. Forcing the web server to only accept web server-generated session IDs and to create new session IDs once a user is authenticated will limit session hijacking.

Check content

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # httpd -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Verify the "mod_unique_id" is loaded. If it does not exist, this is a finding.

Fix text

Determine the location of the "HTTPD_ROOT" directory and the "httpd.conf" file: # httpd -V | egrep -i 'httpd_root|server_config_file' -D HTTPD_ROOT="/etc/httpd" -D SERVER_CONFIG_FILE="conf/httpd.conf" Load the "mod_unique_id" module. Restart Apache: apachectl restart

Pro Tips

Powered by sagemincer